Given all the digital deployment in the Covid era, companies need to have data security audits
Last week, a Delhi-based tutor filed a petition in the Supreme Court asking for a ban on video-conferencing app Zoom for violating user privacy and security. The SC has admitted the petition and has asked the government to respond. While such lawsuits are uncommon in India, many private players in the US have had to pay a heavy price for violating user privacy. In January, Facebook settled a class-action suit in the US for $550 million.
The company was using facial recognition technology without taking prior permission from users. The illegal practice was in contravention of the Illinois Biometric Information Privacy Act. While Facebook and other social media platforms have had to bear the brunt of strict privacy laws in Europe—GDPR rules—and, increasingly, in their home country, India does not have any data laws to protect users. The data protection Bill has been pending before a joint parliamentary committee.
While data protection may not be the government’s primary concern as of now, with more people going online and companies digitising offices to get work-from-home ready, there is a need for a data protection law under which companies are made liable for breaches.
Right now, Sections 42, 66, and 72 of the IT Act guarantee some basic protection from data theft, but the Act does not fix liability on companies for ensuring security. As more users go online, there is a need to change this, and to stop treating data casually. Companies must get a security audit of their websites or apps and, if possible, of their digital infrastructure. Banks in India are mandated to carry out such audits, so it would not be surprising if companies do the same, hiring security audit firms or colleges for this purpose.